华为VPN技术

LKAI.2024-11-20 23:08

1. 启动设备

2. 配置IP地址

FW1\]int g1/0/0 \[FW1-GigabitEthernet1/0/0\]ip add 192.168.1.254 24 \[FW1-GigabitEthernet1/0/0\]int g1/0/1 \[FW1-GigabitEthernet1/0/1\]ip add 100.1.1.1 24 \[FW1-GigabitEthernet1/0/1\]service-manage ping permit \[FW2\]int g1/0/0 \[FW2-GigabitEthernet1/0/0\]ip add 192.168.2.254 24 \[FW2-GigabitEthernet1/0/0\]int g1/0/1 \[FW2-GigabitEthernet1/0/1\]ip add 200.1.1.2 24 \[FW2-GigabitEthernet1/0/1\]service-manage ping permit \[AR1\]int g0/0/0 \[AR1-GigabitEthernet0/0/0\]ip add 100.1.1.2 24 \[AR1-GigabitEthernet0/0/0\]int g0/0/1 \[AR1-GigabitEthernet0/0/1\]ip add 200.1.1.1 24 **3.** **配置Tunnel接口** \[FW1\]int Tunnel 0 \[FW1-Tunnel0\]ip add 172.16.1.1 24 \[FW1-Tunnel0\]tunnel-protocol gre \[FW1-Tunnel0\]source 100.1.1.1 \[FW1-Tunnel0\]destination 200.1.1.2 \[FW2\]int Tunnel 0 \[FW2-Tunnel0\]ip add 172.16.1.2 24 \[FW2-Tunnel0\]tunnel-protocol gre \[FW2-Tunnel0\]source 200.1.1.2 \[FW2-Tunnel0\]destination 100.1.1.1 **4.** **将防火墙接口加入指定区域** \[FW1\]firewall zone trust \[FW1-zone-trust\]add int g1/0/0 \[FW1-zone-trust\]q \[FW1\]firewall zone untrust \[FW1-zone-untrust\]add int g1/0/1 \[FW1-zone-untrust\]add int Tunnel 0 \[FW2\]firewall zone trust \[FW2-zone-trust\]add int g1/0/0 \[FW2-zone-trust\]q \[FW2\]firewall zone untrust \[FW2-zone-untrust\]add int g1/0/1 \[FW2-zone-untrust\]add int Tunnel 0 **5.** **配置OSPF** \[FW1\]ospf 1 \[FW1-ospf-1\]area 0 \[FW1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1\]ospf 1 \[AR1-ospf-1\]area 0 \[AR1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 \[FW2\]ospf 1 \[FW2-ospf-1\]area 0 \[FW2-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 **6.** **配置路由条目** \[FW1\]ip route-static 192.168.2.0 24 Tunnel 0 \[FW2\]ip route-static 192.168.1.0 24 Tunnel 0 **7.** **配置防火墙策略** \[FW1\]security-policy \[FW1-policy-security\]rule name local-untrust \[FW1-policy-security-rule-local-untrust\]source-zone local \[FW1-policy-security-rule-local-untrust\]destination-zone untrust \[FW1-policy-security-rule-local-untrust\]source-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]destination-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]action permit \[FW1-policy-security-rule-local-untrust\]q \[FW1-policy-security\]rule name untrust-local \[FW1-policy-security-rule-untrust-local\]source-zone untrust \[FW1-policy-security-rule-untrust-local\]destination-zone local \[FW1-policy-security-rule-untrust-local\]source-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]destination-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]action permit \[FW1-policy-security-rule-untrust-local\]q \[FW1-policy-security\]rule name trust-untrust \[FW1-policy-security-rule-trust-untrust\]source-zone trust \[FW1-policy-security-rule-trust-untrust\]destination-zone untrust \[FW1-policy-security-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-security-rule-trust-untrust\]action permit \[FW1-policy-security-rule-trust-untrust\]q \[FW1-policy-security\]rule name untrust-trust \[FW1-policy-security-rule-untrust-trust\]source-zone untrust \[FW1-policy-security-rule-untrust-trust\]destination-zone trust \[FW1-policy-security-rule-untrust-trust\]action permit \[FW2\]security-policy \[FW2-policy-security\]rule name untrust-local \[FW2-policy-security-rule-untrust-local\]source-zone untrust \[FW2-policy-security-rule-untrust-local\]destination-zone local \[FW2-policy-security-rule-untrust-local\]action permit \[FW2-policy-security-rule-untrust-local\]q \[FW2-policy-security\]rule name local-untrust \[FW2-policy-security-rule-local-untrust\]source-zone local \[FW2-policy-security-rule-local-untrust\]destination-zone untrust \[FW2-policy-security-rule-local-untrust\]action permit \[FW2-policy-security-rule-local-untrust\]q \[FW2-policy-security\]rule name trust-untrust \[FW2-policy-security-rule-trust-untrust\]source-zone trust \[FW2-policy-security-rule-trust-untrust\]destination-zone untrust \[FW2-policy-security-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-security-rule-trust-untrust\]action permit \[FW2-policy-security-rule-trust-untrust\]q \[FW2-policy-security\]rule name untrust-trust \[FW2-policy-security-rule-untrust-trust\]source-zone untrust \[FW2-policy-security-rule-untrust-trust\]destination-zone trust \[FW2-policy-security-rule-untrust-trust\]source-address 192.168.1.0 0.0.0.255 \[FW2-policy-security-rule-untrust-trust\]action permit **8.** **配置NAT策略** \[FW1\]nat-policy \[FW1-policy-nat\]rule name trust-untrust \[FW1-policy-nat-rule-trust-untrust\]source-zone trust \[FW1-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW1-policy-nat-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-nat-rule-trust-untrust\]action source-nat easy-ip \[FW2\]nat-policy \[FW2-policy-nat\]rule name trust-untrust \[FW2-policy-nat-rule-trust-untrust\]source-zone trust \[FW2-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW2-policy-nat-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-nat-rule-trust-untrust\]action source-nat easy-ip **验证：** **1.pc2ping** **通pc1** ![](https://i-blog.csdnimg.cn/direct/a732c73bc621449690661d69fffe9810.png) **2.** **查看FW2防火墙会话表（看GRE协议的数据包走向）** ![](https://i-blog.csdnimg.cn/direct/cfd17827e61a47968bcf9fdb0043c93a.png) **3.** **查看NAT地址转换（pc2ping100.1.1.1时，查看防火墙会话表，可以看到私网地址转换成200.1.1.2后访问100.1.1.1）** ![](https://i-blog.csdnimg.cn/direct/98bd075ad39c4a01834d152e183ac23a.png) **4.** **抓FW2G1/0/1端口的包查看（GRE的端口是47）** ![](https://i-blog.csdnimg.cn/direct/324da126ab134f369df65e5ecfb4c322.png)

上一篇：Redis ZSet 类型深度解析：底层数据结构与应用场景

下一篇：【话题】抓住鸿蒙生态崛起的机遇：挑战与对策

热门推荐

01【图像处理与机器视觉】XJTU期末考点 02从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑 03KGG转MP3工具|非KGM文件|解密音频 04海康Visionmaster-常见问题排查方法-启动阶段 05YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】06【SpeedAI科研小助手】2分钟极速解决知网维普重复率、AIGC率过高，一键全文降！文件格式不变，公式都保留的！07R-tree详解 08Coze扣子平台完整体验和实践（附国内和国际版对比）09DeepSeek各版本说明与优缺点分析 10ICASSP2025 SPGC Challenge认知衰退挑战赛——通过自发语音的认知能力下降预测与识别（PROCESS）信号处理大奖赛